OpenWrt系統安全改進 --- 使能PAM

使能BUSYBOX的PAM

1 修改.config

執行 make menuconfig,依次進入 Base system → busybox → Login ... → Support for PAM,並勾選該選項。

2 修改package/busybox下的Makefile

diff --git a/package/utils/busybox/Makefile b/package/utils/busybox/Makefile
index 3380885..668679e 100644
— a/package/utils/busybox/Makefile
+++ b/package/utils/busybox/Makefile
@@ -17,7 +17,7 @@ PKG_SOURCE_URL:=http://www.busybox.net/downloads \
http://distfiles.gentoo.org/distfiles/
PKG_MD5SUM:=337d1a15ab1cb1d4ed423168b1eb7d7e

-PKG_BUILD_DEPENDS:=BUSYBOX_USE_LIBRPC:librpc
+PKG_BUILD_DEPENDS:=BUSYBOX_USE_LIBRPC:librpc BUSYBOX_CONFIG_PAM:libpam
PKG_BUILD_PARALLEL:=1
PKG_CHECK_FORMAT_SECURITY:=0

@@ -42,7 +42,7 @@ define Package/busybox
MAINTAINER:=Felix Fietkau <[email protected]>
TITLE:=Core utilities for embedded Linux
URL:=http://busybox.net/

  • DEPENDS:=+BUSYBOX_USE_LIBRPC:librpc
    + DEPENDS:=+BUSYBOX_USE_LIBRPC:librpc +BUSYBOX_CONFIG_PAM:libpam
    MENU:=1
    endef

@@ -80,6 +80,12 @@ ifdef CONFIG_BUSYBOX_USE_LIBRPC
LDLIBS += rpc
endif

+ifdef CONFIG_BUSYBOX_CONFIG_PAM
+ TARGET_CFLAGS += -I$(STAGING_DIR)/usr/include
+ export LDFLAGS=$(TARGET_LDFLAGS)
+ LDLIBS += pam pam_misc pthread
+endif
+
define Build/Compile
+$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \
CC="$(TARGET_CC)" \
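Review bot: Nothing in this patch installs a PAM policy file for the login that the new `ifdef CONFIG_BUSYBOX_CONFIG_PAM` block links against libpam, so an image built from it rejects every login until `/etc/pam.conf` is created by hand, which is what the page's own step 4 reports. The package should ship, or depend on, a default policy for the `login` service so that a freshly flashed device is not left without console login. The block also needs a comment saying why `export LDFLAGS=$(TARGET_LDFLAGS)` is there, presumably something like `# busybox's link step otherwise cannot find -lpam in the staging dir`; the export reaches every recipe in this Makefile, not only the PAM link. `define Build/Compile` continues past the end of the hunk.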

 

3 確認PAM編譯成功

root@SFP:/# ldd bin/busybox
libcrypt.so.0 => /lib/libcrypt.so.0 (0x77911000)
libm.so.0 => /lib/libm.so.0 (0x778ec000)
libpam.so.0 => /lib/libpam.so.0 (0x778d1000)
libpam_misc.so.0 => /lib/libpam_misc.so.0 (0x778bf000)
libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x7789c000)
libc.so.0 => /lib/libc.so.0 (0x77830000)
libdl.so.0 => /lib/libdl.so.0 (0x7781c000)
ld-uClibc.so.0 => /lib/ld-uClibc.so.0 (0x77938000)

4 驗證PAM

在命令行下輸入login,此時無論輸入什麼用戶名都會返回失敗,因為系統裡還沒有任何PAM配置;需要增加/etc/pam.conf才能正常login。測試期間請保留一個已登入的會話,以免配置有誤時被鎖在設備之外。/etc/pam.conf內容如下:

# /etc/pam.conf -- one rule per line: service  type  control  module-path
# OTHER is read as PAM's fallback ("other") service, so these four rules apply
# to every PAM-aware program that has no rules of its own, not only to login.
# NOTE(review): a fallback that authenticates with pam_unix is permissive. The
# usual hardening is to give "login" its own rules and make the fallback deny
# (pam_deny.so) -- confirm which PAM-aware services this image ships.
# NOTE(review): Linux-PAM ignores this file when /etc/pam.d/ exists -- verify
# that directory is absent on the target.
# NOTE(review): /lib/security/pam_unix.so must exist on the device -- confirm
# the libpam package installs its modules at that path.
# auth: verify the user's identity (password check via pam_unix).
OTHER auth required /lib/security/pam_unix.so
# account: account validity checks after authentication.
OTHER account required /lib/security/pam_unix.so
# password: rules used when a password is changed.
OTHER password required /lib/security/pam_unix.so
# session: work done when a session is opened and closed.
OTHER session required /lib/security/pam_unix.so

5 調試記錄

 make menuconfig 、base system、 busybox、 Login ...、Support for PAM
  ERROR :loginutils/login.c:29:32: fatal error: security/pam_appl.h: No such file or directory
  USELESS : make menuconfig 、 Library、libpam

  cp feeds/packages/libs/libpam/ to packages/libpam( Maybe not necessary )
  add dependency of busybox to libpam
  EFFECT : busybox compile success

  ERROR :  login.c:(.text.login_main+0x49c): undefined reference to `pam_getenvlist'
  package/busybox Makefile add LDLIBS += pam pam_misc

  ERROR :  cannot find -lpam / cannot find -lpam_misc
  刪除build_dir下的pam和busybox重編,修改busybox Makefile

  ERROR :  pam 沒有生效
  單獨執行busybox下的make menuconfig,使ENABLE_PAM爲1

  ERROR :  輸入login返回失敗Login incorrect
  創建/etc/pam.conf

6 心得體會

最後鄙視一下Baidu,在上面找了三天勉勉強強把功能做了出來,用google一搜,第一頁就有教怎麼實現這個功能的。
